As religious affiliation comes under ‘special categories of data’ (along with other potentially sensitive information pertaining to race, political affiliation, etc.), some larger churches may be required to appoint a DPO if they are processing a lot of records.

You are free to appoint a DPO even if you are not legally required to do so. However, if you do appoint one, you must ensure that they have the relevant experience and seniority to take the lead on all matters within the church relating to data protection. They do not need to have any specific qualifications, but they must have professional experience and a good knowledge of data protection law.

Even if you are not going to appoint an official DPO, you will need to decide who church members should contact if they want to exercise any of their rights under GDPR. The ICO suggests the term 'data protection lead'. This person or persons should also be responsible for gathering and monitoring the relevant consent. You should name this person in your church Privacy Policy so everyone knows who they should contact if they have any data-related concerns.

GDPR Advice from iKnow Church. Part of the UK’s leading Christian Software Company.